Secure login

The 25 worst passwords of 2012, and easy ways to avoid them

Bad passwords never die -- in fact, they don’t even fade away.

SplashData just released its annual list of the most common passwords stolen and posted by hackers, and if the list has a familiar look, it’s because most of the same passwords have appeared on past lists. In fact, this year’s top three -- "password," "123456," and "12345678" -- also finished one-two-three on SplashData’s 2011 list.

The passwords below are not only the most common, they are also virtually useless at protecting an account. They’re likely the first passwords a hacker would try when breaking in. As SplashData noted in announcing the list, “Users of any of these passwords are the most likely to be victims in future breaches.”

The 2012 list, drawn from millions posted online, compared with where each password stood on the 2011 list:

1. password (unchanged from 2011)
2. 123456 (unchanged)
3. 12345678 (unchanged)
4. abc123 (up 1)
5. qwerty (down 1)
6. monkey (unchanged)
7. letmein (up 1)
8. dragon (up 2)
9. 111111 (up 3)
10. baseball (up 1)
11. iloveyou (up 2)
12. trustno1 (down 3)
13. 1234567 (down 6)
14. sunshine (up 1)
15. master (down 1)
16. 123123 (up 4)
17. welcome (new)
18. shadow (up 1)
19. ashley (down 3)
20. football (up 5)
21. jesus (new)
22. michael (up 2)
23. ninja (new)
24. mustang (new)
25. password1 (new)

Of course, many public-sector agencies wouldn’t allow these kinds of passwords, because they often require longer passwords and minimum use of upper- and lower-case letters and special characters. And two-factor authentication provides another level of protection to agency systems.

But employees sometimes do access outside sites from work, which could at least open them up to phishing attacks on their agency e-mail addresses. In an attack in March on a military dating site, for instance, hackers were able to crack weak passwords belonging to users with military e-mail addresses.

Maintaining a set of strong passwords for network systems and websites is a pain for users, but SplashData recommends a few ways to make it easier, such as mixing in different types of characters and even using simple, easily remembered phrases separated by spaces, underscores or other characters. Two examples: “eat cake at 8!” and “car_park_city?”

Password management applications also can help users keep track of their passwords and avoid using the same password for multiple sites, which is another bad practice, especially when mixing, say, entertainment and social networking sites with financial services, SplashData said.

One other trick: If you use a password that appears on the list, change it.

And as easy as it is to blame users, sites that allow weak passwords — some on the list consist of five or six lower-case letters — are culpable too. People will take the path of least resistance, especially if they don’t think of themselves as a target. Sites that want to protect users could require a little more rigor.
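A server-side screen of the kind the last few paragraphs call for, written here as an added example (it is not code from the article or from SplashData): it rejects the 25 listed passwords and their trivial variants, and otherwise accepts either mixed character classes or a multi-word passphrase like the two the article suggests. The 12-character minimum and the three-word passphrase rule are assumed thresholds, not figures from the article.

```python
"""Server-side password screening built around the 2012 worst-passwords list.
Assumed policy (hypothetical thresholds): at least 12 characters, plus either
three character classes or a passphrase of at least three words."""
import re

# The 25 passwords from the article, in list order.
WORST_2012 = (
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567",
    "sunshine", "master", "123123", "welcome", "shadow", "ashley", "football",
    "jesus", "michael", "ninja", "mustang", "password1",
)
BLOCKLIST = frozenset(WORST_2012)

# Undo common symbol-for-letter substitutions so "P@$$w0rd" screens as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t"})


def variants(candidate):
    """Return the forms of a candidate that are compared against the blocklist."""
    lowered = candidate.lower()
    forms = [lowered, lowered.translate(LEET)]
    # Also drop a trailing digit/symbol suffix: "Welcome123!" is still "welcome".
    forms += [re.sub(r"[\d\W_]+$", "", f) for f in forms]
    return {f for f in forms if f}


def is_passphrase(candidate, min_words=3):
    """Word-based passphrase as the article suggests: words separated by spaces,
    underscores or other non-letter characters ("eat cake at 8!")."""
    words = [w for w in re.split(r"[^A-Za-z]+", candidate) if w]
    return len(words) >= min_words


def check_password(candidate, min_length=12):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if variants(candidate) & BLOCKLIST:
        problems.append("appears on the 2012 worst-passwords list (or a trivial variant)")
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 3 and not is_passphrase(candidate):
        problems.append("needs three character classes or a multi-word passphrase")
    return problems
```

The leet normalisation is deliberately short; a production screen would compare against a far larger breached-password list, but the structure (normalise, blocklist, then policy) is the same.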

About the Author

Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.

Reader Comments

Tue, Nov 13, 2012 mercdragon Washington, DC

Posted list on bulletin board. Amusing to watch the expressions as people read the list and grins turned to embarrassment. Several may have changed them by now. Take care and be safe. pfb

Thu, Oct 25, 2012 prafulbhai desai India

Whatever safeguards you build and provide for free, mind you, hackers are one step ahead of risk managers.

Wed, Oct 24, 2012 Ron

A password that our office uses too frequently is P@$$w0rd.
